Most CAs are not regulated.

Certificate Authorities are trusted primarily through industry standards and independent audits rather than universal government licensing. In practice, trust in CAs comes from adherence to rules like the Baseline Requirements set by the CA/Browser Forum and regular audits (for example, WebTrust or similar assessments) that verify how they validate identities, protect keys, and handle revocation. These controls are adopted across many CAs and are enforced by browser vendors, which decide which certificates to trust. While some jurisdictions do regulate CAs under specific laws, this is not universal, and the vast majority operate under industry standards and cross‑border agreements rather than direct government regulation. So, the statement aligns with how the PKI ecosystem is typically governed, making it the best answer.